Purityscan Win32/clspring.gs Pop-up Trojan Infection

I have faithfully followed each of the 9 steps wisely recommended by this site multiple times without success. On boot up I have found this trojan populates the temporary internet file folder with cookies, ico, gif, and jpg files for generating pop-up ads, along with an lupdate-4395[1].000 file, sometimes a www.whatsmyip.com file, and other files (see below). It also uses other folders and generates other clspring-related files seemingly at random. It also appears to keep putting a "click to identify errors" icon on the desktop which I keep deleting.

I think it MAY have come in (not sure) from an unsolicited pop-up that immediately started aggressively downloading some bogus "make your computer go faster" software that would not respond to cancelling. The pop-up ads say "outerinfo" along the top of the dialogue box but the ads are for Motorola phones, etc.

My att/yahoo security system (Computer Associates) calls it Win32/Clspring.GS, deletes the lupdate-4395[1].000 file it identifies, or calls it Win32/Matcash.AP or Win32/Clspring!generic and deletes files in the form A0105248.exe from the C:\System Volume Information\_restore{###....\RP544 folder. It claims to clean it, but it always comes back on reboot and rescan 3 times.

Ad-Aware also found it calling it Purityscan, claimed to delete it, but it always came back on the reboot and was found and allegedly deleted again on re-scan 4 times.

Spybot S&D didn't find anything twice.

Trend Micro Housecall calls it variously ADW_Puritysca.cp, ADW_Puritysca.CD, Adware_Purtyscan (alias: Clickspring, Purityscan) and also finds and "cleans" it, but it always comes back on reboot and rescan which I tried 3 times.

I'm running Win XP and checked today and confirmed it is fully updated.

I was relying on the Win XP firewall the past few months (a recent update of my ZoneAlarm FW could not cohabitate with the att/yahoo online security package so I had to uninstall it) - lesson learned. Today I installed Comodo Pro FW which at least PC Magazine thinks is the best free FW.

My Hijack log is below. I'm out of bullets and clueless at this point. I would GREATLY appreciate any help from you experts!!!

Welcome to the BleepingComputer HijackThis Logs and Analysis forum naturefreak. My name is Richie and I'll be helping you to fix your problems.

Download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop.
Close any open browsers. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.

SO GLAD to have you onboard! Thanks SO MUCH!!! Combofix and Hijack logs follow below.

A few other points. I installed Comodo FW but currently have it disabled as it (or something else I added yesterday at "bleepings" direction) is disabling my ATT/Yahoo internet access (IP address in IP config gets messed up somehow, modem has to be reset, modem re-addressed in IE, etc.). I would have replied sooner, but it took me most of this morning to get internet access. This internet access problem is now a bigger one than my trojan problem, but one thing at a time. Anyway, I'm temporarily back to just Win XP FW for now to try and stay online.

However, while using Comodo I learned that the following files REPEATEDLY request access to the internet which I denied: sychost.exe which I believe is malware and also CFD.exe. Other files requesting internet access I didn't recognize include d?xplore.exe and dexplore.exe. Hopefully this tells you something. For the moment I assume these now have access once again with the Win FW.

Launch SuperAntiSpyware and click on 'Check for updates'. Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'. Make sure all browser and all Windows Explorer windows are closed before fixing:

O4 - HKCU\..\Run: [Byddojyx] "C:\Documents and Settings\HP_Administrator\My Documents\??pPatch\d?xplore.exe"
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\SCURIT~1\ping.exe" -vt ndrv

Exit Hijackthis.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found. Make sure everything found has a checkmark next to it, then press 'Next'. Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.
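The two O4 lines Richie asks HijackThis to fix are Run-key autostart entries, and the reasons a helper picks them out of a log are visible in the lines themselves: an executable living under the user's profile (My Documents), path characters HijackThis could not print and rendered as ?, an 8.3 short name (SCURIT~1) hiding a directory's real name, and a system-utility name (ping.exe) launched from somewhere other than System32. The following Python script is an added example written for this thread, not a HijackThis feature or a tool from the original post: it parses O4 lines into fields and applies those indicators. The first two sample lines are the ones from the post; the sychost.exe line (modelled on the look-alike name mentioned later in the thread) and the benign ExampleTray line are constructed sample input, and the heuristics and directory lists are assumptions, not a vendor's detection logic.

```python
import re
from dataclasses import dataclass, field

# Shape of a HijackThis O4 line: "O4 - HIVE\..\Key: [ValueName] command line"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Split the command line into an executable path (quoted or first token) and its arguments.
CMD_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))(?P<args>.*)$')

# Assumed indicator data: directories a standard user can write to, and binary names
# that normally only live in System32 on Windows XP.
USER_WRITABLE = ("\\documents and settings\\", "\\my documents\\", "\\temp\\",
                 "\\application data\\", "\\users\\")
SYSTEM_DIR = "c:\\windows\\system32\\"
SYSTEM_BINARIES = {"svchost.exe", "ping.exe", "explorer.exe", "lsass.exe"}

# Sample log lines. The first two are from the post; the last two are constructed.
SAMPLE_LINES = [
    r'O4 - HKCU\..\Run: [Byddojyx] "C:\Documents and Settings\HP_Administrator\My Documents\??pPatch\d?xplore.exe"',
    r'O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\SCURIT~1\ping.exe" -vt ndrv',
    r'O4 - HKCU\..\Run: [Updater] "C:\Documents and Settings\HP_Administrator\Application Data\sychost.exe"',
    r'O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /background',
]


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    path: str
    args: str
    indicators: list = field(default_factory=list)


def parse_o4(line):
    """Return an AutorunEntry for an O4 line, or None for any other log line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    c = CMD_RE.match(m.group("cmd").strip())
    path = (c.group("quoted") or c.group("bare")) if c else ""
    args = c.group("args").strip() if c else ""
    return AutorunEntry(m.group("hive"), m.group("key"), m.group("name"), path, args)


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike names such as sychost vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(entry):
    """Attach human-readable indicators to an entry; an empty list means nothing stood out."""
    p = entry.path.lower()
    fname = p.rsplit("\\", 1)[-1]
    if "?" in p:
        # '?' is not legal in a Windows file name, so HijackThis substituted it for a
        # character it could not display (non-ASCII or unprintable).
        entry.indicators.append("non-ASCII or unprintable character in path (shown as ?)")
    if any(seg in p for seg in USER_WRITABLE):
        entry.indicators.append("executable in user-writable profile directory")
    if re.search(r"\\[^\\]*~\d", p):
        entry.indicators.append("8.3 short-name component hides the real directory name")
    if fname in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIR):
        entry.indicators.append(f"system binary name {fname} outside System32")
    else:
        for sb in SYSTEM_BINARIES:
            if fname != sb and edit_distance(fname, sb) == 1:
                entry.indicators.append(f"{fname} looks like {sb}")
    return entry


def flag_suspicious(lines):
    """Parse every O4 line and return only the entries that carry at least one indicator."""
    entries = [assess(e) for e in map(parse_o4, lines) if e is not None]
    return [e for e in entries if e.indicators]


if __name__ == "__main__":
    for e in flag_suspicious(SAMPLE_LINES):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] {e.path} {e.args}")
        for ind in e.indicators:
            print("   -", ind)
```

The script only reads log text and prints findings; the decision to remove an entry stays with the person reviewing the log, as it does in this thread. The Program Files entry is deliberately left clean so the output shows that the heuristics separate it from the three profile-directory entries.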

I did as you asked. See my and Hijack Logs below. As you can see, the SUPERAntiSpyware found the usual suspects some of the other AV programs found related to the purityscan/clickspring trojan plus perhaps a few more. It even found one related to "outer info" whose name appears in the title of the ad pop up boxes. Please advise.

Double-click ATF-Cleaner.exe to run the program. Click 'Select All' found at the bottom of the list. Click the 'Empty Selected' button.

If you use the Firefox browser, do this also: Click Firefox at the top and choose 'Select All' from the list. Click the 'Empty Selected' button. NOTE: If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also: Click Opera at the top and choose 'Select All' from the list. Click the 'Empty Selected' button. NOTE: If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore. In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'. In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'. The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup. The 'Select Drive' box will appear, click on Ok. The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab. At the bottom in the 'System Restore' window, click on the 'Clean up...' button. A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'. Click on 'Yes' at 'Are you sure you want to perform these actions?'. Now wait until 'Disk Cleanup' finishes and the box disappears.

I did all of the steps you asked and ran Ad-Aware again and this time it found nothing but tracking cookies. You are right, it does seem to be gone now. THANKS SO MUCH!!!

After reading Bleepings prevention page you recommended, I thought if I added a decent FW (see 1 below) and perhaps an active spyware catcher (see 2 below) to what I already have (Yahoo/ATT security package from Computer Associates including a spyware scanner, active anti-virus + scanner, pop-up blocker, and e-mail protection, all automatically updated daily) I'd have at least halfway decent security with daily updates, the fewest changes to my system, and the most compatibility and least problems with the ATT Yahoo browser and security applications. Regarding that, if you don't mind, a few questions:

1) I tried turning the Comodo FW back on, but on every reboot it still corrupts the IP address in ip config, shutting off my internet access. I then have to turn off the Comodo and turn on the wimpy MS FW, reset the DSL modem, and search the IP address in IE to get me back on-line with ATT/Yahoo. Any idea what's wrong here? If not, is there another forum you can point me to?

2) Apparently Ad-Aware and SuperAntispy have active real-time prevention capabilities. Is it OK/Advisable to turn one of these on (I assume both would create a potential conflict?) to actively prevent spyware intrusions, or will they likely clash with my CA AV or FW? Or the prevention page touts Spyware Blaster, would that be a better choice?

3) I now have many different stand alone spyware scanners (SuperAntispy, SpyBot, Adaware, McAfee Stinger + my CA spyware scanner). Which one(s) of these (or others) do you recommend I use regularly to maintain a vermin free PC?

4) Which browser do you recommend for security and compatibility, IE7 or Firefox? The Yahoo/ATT browser is a skin over IE with a few extra benefits (sidebars, tabbed browser pages, etc.) that I like. I upgraded to IE7 automatically from an MS update early this year, only to migrate back to IE6 due to a few glitches (perhaps an ATT/Yahoo browser problem?). Firefox would be a major change and raises compatibility issues with the ATT/Yahoo security package.